Newest iOS Vulnerabilities and How Check Point Customers Remain Protected

By Yael Macias, Product Marketing Manager, Endpoint & Mobile Security

And Danielle Guetta, Product Marketing Specialist, Email Security

Last week, cyber security firm ZecOps announced that it had discovered two serious vulnerabilities in the iOS Mail app which allow an attacker to remotely infect an iPhone or iPad and gain full control over their inbox. The security flaws affect iOS 6 through iOS 13, and according to the firm, attacks that exploit these vulnerabilities have been taking place for about two years. The first in-the-wild sample was seen in January 2018.

One of the vulnerabilities has the capability to enable an attacker to remotely infect an iOS device by sending emails that consume a large amount of memory. The vulnerability is triggered without any user interaction – zero-click – in iOS 13, and with one needed click to open the email in iOS 12. Another vulnerability has remote code execution capabilities. Successful exploitation of the vulnerabilities could potentially allow an attacker to leak, modify, or delete a user’s emails.

While it still remains to be seen whether these vulnerabilities actually succeed in compromising iOS users, it proves yet again that iOS is not that secure. While Apple keeps stricter policies when it comes to uploading applications to their official App Store, their devices can still be penetrated in other ways: phishing campaigns, malicious certificates, Man-in-the-Middle attacks, or remote code execution that is embedded in malicious campaigns delivered via email, such as this one. These news serve as a reminder that, while users should put their trust on their operating system providers, they should also be wary of the growing number of threats to mobile devices and take security measures of their own, even on iOS.

Until a security patch is released we recommend disabling the native email app and working with other email clients.

Check Point Customers Remain Protected

Since the nature of the attack is ‘zero-click’ and requires no user interaction, it must be blocked before it reaches the inbox. CloudGuard SaaS accounts that are in Protect (Inline) mode remain protected and require no action on their part.

CloudGuard SaaS accounts that are in Monitor or post-delivery Detect and Prevent mode should be changed to Protect (Inline) mode. This will ensure the email is quarantined prior to reaching the inbox and that customers are protected from this attack as well as other Zero-Day (and zero-click) attacks.

If the vulnerabilities are used as part of an exploit chain to gain full access on the device, and the device is jailbroken, SandBlast Mobile will detect the jailbreak and raise an alert to both the user and administrator.

In case the attack is used to steal data from the mobile device by using network connections to a remote Command and Control server, the Anti-Bot feature of On-device Network Protection (ONP) will block the communication.

Once Apple releases a security patch, SandBlast Mobile will alert and enforce device updates to the latest OS version.